One-Size-Fits-All Doesn’t Make Sense

Every organization has its own unique set of business objectives, compliance requirements, policies, procedures, and technology solutions. As a result, it also has its own unique set of threats, vulnerabilities, and risks. Traditional approaches to cyber risk management, including one-size-fits-all checklist assessments, spreadsheets, or paper-based systems, cannot address the unique needs of your organization and often do not meet HIPAA compliance requirements.

Get a Clear Perspective on Cyber Risk

Designed for healthcare, Clearwater’s Enterprise Cyber Risk Management Solution (ECRMS) provides full visibility into where your greatest exposures lie. Unlike antiquated spreadsheet-based assessments, our IRM|Pro® Software as a Service (SaaS) is designed to adapt dynamically to your organization’s specific systems and processes out of the box. In addition to facilitating the ongoing enterprise-wide evaluation of threats to your information systems, we enable you to effectively manage risk remediation actions, thereby improving your security posture.

Manage Cyber Risk Right®

  • Follow NIST standards – NIST SP 800 series implemented out of the box
  • Assess risk for every ePHI information system, ensuring that there are no gaps
  • Understand which risks are the highest based on likelihood and impact
  • Reduce residual risk through risk remediation workflow management
  • Stay ahead of the evolving threat landscape with ongoing risk analysis
  • Monitor the cyber risk management system through built-in dashboards
  • Gain centralized, up-to-date documentation of your risk management process
  • Avoid OCR fines with an industry-proven, by-the-book risk analysis solution

Holistic Enterprise Solutions Built for Healthcare

Our industry-leading ECRMS for healthcare, complete with our IRM|Pro® software, manages all of your risk analysis and risk response needs. We create best-in-class OCR-Quality Risk Analyses™ for hospitals, health systems, and their partners that evaluate the threats to all information systems, in all locations, including assessing the likelihood and impact of a breach.

Services and programs include:

Industry Proven. Rapid ROI.

  • 100% OCR acceptance of our risk analysis—don’t take chances
  • Prevent breaches and keep patients safe with the most comprehensive solution in the industry
  • Stay ahead – vulnerability and threat scenarios are updated by Clearwater on an ongoing basis
  • Optimize IT spending through prioritization of security projects
  • Increase efficiency with a streamlined, automated risk analysis and risk management process—no more spreadsheets!
  • Avoid fines and penalties—benefit from proven success
  • Efficiently address HIPAA and Promoting Interoperability (formerly Meaningful Use) requirements

Strategic Advisory Services

Learn about our OCR Enforcement Assistance, Strategic Security Roadmap, and more.

Based on all I’ve seen over the years, Clearwater’s risk analysis methodology and software are in the best-of-breed tier and can be seriously considered by any organization striving to meet regulatory requirements in performing HIPAA risk analysis.

Former Director, HHS Office for Civil Rights /
Partner, Seyfarth Shaw LP
Risk Analysis

Comprehensive Cybersecurity Starts Here

Conducting an enterprise-wide, information system-based HIPAA risk analysis that adheres to OCR’s guidance and provides full visibility into your organization’s exposures is no small task. A by-the-book approach to HIPAA risk analysis can be overwhelming unless you have the right tools and resources in place. Clearwater provides the most comprehensive NIST-based Security Risk Analysis solution available. Powered by IRM|Analysis™, our solution has a 100% acceptance rate from the OCR.

How we do it:

Our HIPAA Risk Analysis solution combines our proven methodology with our proprietary IRM|Analysis™ SaaS platform to deliver the most comprehensive risk analysis available. Clearwater’s risk analysis solution maps to the specific systems and processes in your organization and gauges risks based on the likelihood of a threat exploiting a vulnerability and the resulting impact to your organization. Rely on our expertise and systematic approach to conduct an OCR-Quality Risk Analysis™.

Deliverables include:

  • Subscription to our industry-leading IRM|Analysis™ software
  • A detailed Risk Analysis Findings, Observations, and Recommendations (FOR) report
  • A risk registry and other reports for Promoting Interoperability (formerly Meaningful Use) Attestation and OCR inquiry response

Risk Response

Be Clear. Be Confident. Be Thorough.

Risk response is part of the ongoing process of managing risks identified during risk analysis and is a key step in the overall NIST Risk Management Process. Risk response should be conducted in a methodological manner with adequate identification of owners, alternatives considered, documented decisions, and implementation planning, as required under the HIPAA Security Rule.

How we do it:

Clearwater employs a proprietary methodology based on years of experience working with clients to create OCR-Quality responses that deliver results. We leverage our OCR-Quality Risk Analysis™—populated in our IRM|Analysis™ software—and our professional services team to manage the entire process based on our careful study of the explicit HHS/OCR guidance and NIST SP 800-39 – Managing Information Security Risk.

Program features include:

  • Introduction to workflows for completing a NIST-based risk response
  • Historical documentation of alternatives considered, investment options, decisions made, tasks assigned, and responsible parties
  • Project management through completion
  • The option to complete the work under direction of outside counsel
  • Periodic project status reports
  • Risk Response Planning Executive Summary Report

Cyber Risk Services™ (CRS)

A Strategic and Complete 3-Year Program

Hospital leaders tell us there is a lack of skills, knowledge, experience, and funding to stand up, operate, and maintain an effective cyber risk management program that will protect patient information, ensure patient safety, and safeguard a hospital’s finances and reputation.

How we do it:

Clearwater CRS combines its award-winning IRM|Pro® ECRMS platform, expert professional services, and proven methodology to rapidly build your cyber risk management program. We also work with you to help you assess, respond to, and manage cybersecurity risks on an ongoing basis. We offer three levels of service at fixed monthly fees to ensure predictable costs that won’t break your budget and that match your specific needs. Levels include:

  • CRS Essential—best suited for community hospitals, small regional hospitals, medical practice groups, business associates
  • CRS Plus—best suited for small IDNs, regional health systems, 50+ medical practice groups, large covered entities
  • CRS Enterprise—best suited for large IDNs, select and other covered entities

Vulnerability Assessment & Penetration Testing

A Full Suite of OCR-Quality Testing Services

Conducting an OCR-Quality Technical Evaluation required by 45 CFR §164.308(a)(8) helps organizations test the effectiveness of the controls they’ve implemented and meet the explicit HIPAA Security Rule requirements for periodic technical evaluation.

How we do it:

Clearwater’s award-winning security experts combine cutting-edge tools, comprehensive manual testing, and unparalleled real-world technology experience to improve your overall security posture through this important monitoring activity. We identify weaknesses that could be exploited, conduct a series of authorized simulated attacks, and conduct a vulnerability and penetration test of your wireless network, as well as other important assessments and tests. The service includes:

  • Internal and External Vulnerability Assessments
  • Penetration Testing
  • WLAN Security Testing
  • Web Applications Testing
  • Network Architectural Assessment
  • Security Awareness Assessment

NIST Cybersecurity Framework Adoption

Taking a Step Beyond Compliance

Information security risk management has been a long-standing requirement in healthcare privacy and security regulations. However, compliance with regulations does not necessarily imply an organization has a secure information systems environment.

How we do it:

Clearwater’s NIST Cybersecurity Framework Implementation WorkShop™ assists your organization in adopting the government-recommended cybersecurity framework while offering education, procedures, and software to help you strengthen and maintain your information security program. The service includes:

  • Documenting your current profile and implementation tier
  • Defining your target profile
  • Creating an action plan to achieve your target profile
  • Dynamic dashboards showing current implementation and any gaps

Virtual CISO

From Interim to Full-time Virtual CISO

Lead. Establish. Implement. Mature. Improve. A completely tailorable service based on your own compliance and cyber risk management requirements. The service comes complete with our SaaS-based IRM|Analysis™ to help create an OCR-Quality Risk Analysis™. Services can be delivered both on-site and remotely.

How we do it:

Let Clearwater augment or fill your security and risk management staffing requirements with knowledgeable, experienced individuals to help you achieve your compliance and cyber risk management program goals. We can provide program leadership and advisory services, formalize information risk management program governance, and develop security and information risk management policies and procedures as required.

Other tasks can include:

  • Security and information risk management training and education
  • Completion of all regulatory-driven security assessments
  • Establishment of a third-party risk management program
  • Risk Management Program Maturity Assessment

Third-Party Risk Management

Achieve Visibility and Manage Your Business Associates

Third-party cybersecurity risks are increasing in intensity and complexity, threatening the critical data you entrust to your business associates. Clearwater can establish or strengthen your business associate risk management program, helping you obtain the assurance you need that your BAs are safeguarding the information entrusted to them, in order to reduce the risk of reputational and financial repercussions to your organization.

How we do it:

Our 3-Phase Risk Management Process begins with a complete inventory of your business associates (BAs) and their agreements. Phase Two identifies high-risk BAs, distributes attestation questionnaires, and determines follow-up actions. Phase Three updates executives and your Board through a Findings, Observations, and Recommendations (FOR) report.

Program features include:

  • Establishing a baseline of the current BA program
  • Identifying key BA risk management capabilities for improvement
  • Developing a prioritized roadmap for implementing the FOR
  • Leveraging industry-leading assessment tools and templates

HIPAA 10-Point Assessment

Where Do You Stand? What to Do Next?

Find out where you stand and get a clear plan of action with our tactical assessment of your current HIPAA compliance and cyber risk management program. Meet the challenges of increasing interoperability and data-sharing while being confident that your organization is following HIPAA regulations.

How we do it:

Clearwater’s cybersecurity and HIPAA compliance assessment is an effective diagnostic tool carried out by our seasoned professionals. It assesses the effectiveness of your cyber risk management and HIPAA compliance program in 10 critical areas to show you what you need to address or modify, including:

  • Risk analysis
  • Risk response
  • Security non-technical evaluation
  • Security technical evaluation

Medical Device Security

Comprehensive Cybersecurity & Risk Management

Unauthorized access to biomedical devices may not only threaten the confidentiality of ePHI, but could also compromise the availability of service and the integrity of data critical to patient care.

How we do it:

Clearwater provides a comprehensive medical device security and risk management solution which includes the discovery, inventory, and categorization of medical devices based on patient safety risk and other criteria. This risk management solution provides you with actionable insights, workflow management, and documented remediation actions. Program features include:

  • Improve lifecycle management
  • Actionable insights to critical vulnerabilities
  • OCR-Quality Risk Analysis™
  • End-to-end risk management
  • Prioritize security actions

M&A Due Diligence

Upgrade Your Customary M&A Due Diligence Process

Assess cybersecurity before closing on any investment to avoid financial penalties or possible negative media exposure. Identify key cyber risks, security, and compliance gaps that could impact your investment.

How we do it:

This service is designed for private equity firms, law firms, and healthcare organizations involved in M&A transactions of healthcare entities. Clearwater conducts an efficient evaluation of the cybersecurity and HIPAA compliance risk of the target investment and provides options to match your budget, timing, and scope, as appropriate. In as little as 30 days we deliver an Investment Committee-ready report and identify specific actions that can be taken to resolve critical risks.

Areas of discovery include the completeness of:

  • HIPAA Compliance
  • Cybersecurity program
  • Business Associate/vendor risk management
  • Privacy, Security, and Breach Notification Policies and Procedures

What If OCR Contacts Us?

To date, there have been more than 66 Office for Civil Rights enforcement actions. Ninety percent of those enforcement actions relating to ePHI included adverse findings in the organization’s risk analysis and risk management.

Clearwater-provided risk analyses have a 100% acceptance rate when submitted to OCR.